GDPR

GDPR: practical guides for SMBs

38 articles

The GDPR applies to every business that handles personal data. If you have customers, employees, or a website, that includes you. Compliance doesn't have to be overwhelming, though. This category collects practical guides, checklists, and explainers that help SMBs tackle GDPR requirements one step at a time.

Agnes standing next to three filing cabinets in three colors for HR, Retail and Accounting, each with a different timer
GDPR, Compliance

Data Retention Periods by Sector: How Long to Keep Personal Data in HR, Retail and Accounting

How long must you keep personal data in HR, retail, or accounting? Sector-specific retention periods based on GDPR and Dutch statutory law.

Read more
Agnes standing in front of a closed door labeled 'ePrivacy Reform', holding an action list
GDPR, Compliance

Cookie Law 2026: The ePrivacy Reform Is Dead — Here's What to Do Now

The ePrivacy Regulation has been officially abandoned. Current cookie rules remain in force — and the Dutch DPA is enforcing more strictly than ever. Here's what to do now.

Read more
Agnes reviewing a contract at her laptop, professional pose, with a CRM database icon visible on the screen.
GDPR, Compliance

HubSpot Data Processing Agreement: What You Need to Arrange for GDPR

Using HubSpot and want to stay GDPR-compliant? Find out where to accept HubSpot's DPA, which sub-processors are in play, and how to log HubSpot in your processing register.

Read more
Agnes with a checklist and an eraser, focused expression, documents with items being ticked off
GDPR, Compliance

Right to Erasure: The 7 Mistakes Most Companies Still Make

In February 2026, the EDPB published a coordinated review of how 32 supervisory authorities handle erasure requests. The verdict: the same seven failures, everywhere. Here is how to check whether your SMB is making them too.

Read more
Agnes pulls a processing register from a drawer and places it next to an AI Act document, with a satisfied smile
AI Act, GDPR, Compliance

Your GDPR processing register is already your AI Act dossier: you are 70% done

Your existing GDPR processing register covers 70% of your AI Act obligations. Here is what you can reuse, what is still missing, and how to go from GDPR-compliant to AI Act-ready.

Read more
Agnes connecting two documents (one with a GDPR logo, one with an AI Act logo) with a bridge between them, smiling cleverly with a lightbulb above her head
GDPR, AI Act, Compliance

Your processing register is already 70% of your AI Act dossier, here's how to connect them

Your GDPR processing register already covers 70% of what the AI Act asks of you. See which fields overlap and how to handle both dossiers in one workflow.

Read more
Agnes reviews a technical compliance scan on her laptop and realises something is missing
GDPR, Compliance, SMB

GDPR Compliance Is More Than Running a Technical Scan

Automated compliance scanners check your cloud settings. That is useful, but it covers a small slice of GDPR. Here is what real compliance requires beyond the technical layer.

Read more
Agnes holding a certification badge with EU stars as an alternative to an SCC document
GDPR, Compliance

Europrivacy: The First GDPR Data Transfer Tool That Goes Beyond SCCs

The EDPB approved Europrivacy as a transfer safeguard — the first GDPR certification to replace SCCs. What does this mean for your SaaS vendors?

Read more
Agnes reviews a map of EU privacy laws on a whiteboard and points to GDPR
GDPR, AI Act, Compliance, SMB

Which EU data protection laws apply to your business?

GDPR, AI Act, ePrivacy, NIS2: which EU data protection laws apply to your business? This overview explains which law applies when, in plain language.

Read more
Agnes holding a processing register with an 'optional?' label, giving a confident thumbs up
GDPR, Compliance

Do I Still Need a Processing Register? The Digital Omnibus Explained for SMBs

The Digital Omnibus may exempt small companies from keeping a processing register. Here are three reasons to maintain it anyway — even if it's no longer required.

Read more
Agnes reviews a data type overview on her screen and marks which data qualifies as personal data
GDPR, Compliance, SMB

What counts as personal data under GDPR? A practical guide for SMBs

Personal data covers more than names and emails. IP addresses, device IDs, and indirect identifiers all count. Read the GDPR definition in plain language.

Read more
Agnes holding a balance scale as a symbol of the AP's enforcement assessment
GDPR, Compliance

How the Dutch DPA Decides Whether to Fine You: 2026 Enforcement Policy Explained

The Dutch DPA published its 2026 enforcement policy: transparency, dark patterns, and profiling are top priorities. Learn how the escalation ladder works and how to reduce your risk.

Read more
Agnes compares two documents on her desk: one with GDPR text and one with AI Act requirements
GDPR, AI Act, Compliance

GDPR and the EU AI Act: how the two laws work together

Many SMBs fall under both GDPR and the EU AI Act at the same time. This article explains where the two laws overlap, where they differ, and what to do.

Read more
Agnes reviews a documentation template for automated decision-making on her laptop, with legal texts on a second screen
AI Act, GDPR, Compliance

How to document automated decisions that affect people (GDPR Art. 22 + AI Act)

Your AI tool scores job applicants, sets customer prices, or assesses loan applications. That triggers GDPR Article 22 and the EU AI Act. Here is what you need to document.

Read more
Agnes reviews a data retention schedule per tool on her screen, with a calendar in the background
GDPR, Compliance, SMB

How to build a data retention policy you'll actually enforce

Every compliance checklist says 'document your retention periods.' But how do you actually delete customer data from a CRM your sales team uses every day? This guide shows you how.

Read more
Agnes reviewing a privacy risk assessment on her laptop in a small office
GDPR

GDPR Risk Assessment for SMBs: When You Need One and How to Do It

GDPR Article 32 requires risk-based security and Article 35 mandates a DPIA for high-risk processing. A practical five-step assessment for SMBs.

Read more
Agnes reviewing a DPIA document with a magnifying glass
GDPR

DPIA Guide for SMBs: When You Need One and How to Complete It

When does GDPR require a DPIA — and what must it contain? Practical guide for SMBs with concrete examples, a step-by-step process, and a checklist you can use.

Read more
Agnes maps out all AI tools in her organization with a structured inventory
AI Act, GDPR, Compliance, SME

How to Build an AI Inventory for EU AI Act Compliance (Step-by-Step)

Learn what an AI inventory is, why you need one under the EU AI Act, and how to build one step by step as an SME. With practical template and real-world examples.

Read more
An employee working on a laptop with various SaaS app icons around her, some approved, some unknown
GDPR

GDPR Rules for Business Software: Which Tools Can Employees Use?

GDPR sets rules for business software employees use. Here is how to tackle shadow IT, evaluate tools, and build a software register.

Read more
Agnes runs a GDPR audit with a checklist and laptop for a small business
GDPR, Compliance, SMB

How to Run a GDPR Audit as an SMB (Practical Steps)

A GDPR audit doesn't have to be complicated. Learn what to check, how to approach it, and how to stay compliant as an SMB. With a practical checklist.

Read more
Agnes checks data processing agreements with a checklist next to a stack of supplier folders
GDPR

Data Processing Agreement (DPA): What Must Be in It and How to Close One

What goes in a data processing agreement under GDPR? The 7 mandatory clauses from Article 28, how to request a DPA from suppliers, and what to do when a vendor refuses.

Read more
Agnes reviews a compliance checklist and spots a missing GDPR requirement
GDPR, Compliance, SMB

7 Common GDPR Mistakes SMBs Make (And How to Avoid Them)

The 7 most common GDPR mistakes small and medium businesses make. With real enforcement examples and practical steps to fix each one.

Read more
Agnes builds a processing register step by step, surrounded by documents and data symbols
GDPR

Build a GDPR Processing Register in 7 Steps

Build a GDPR processing register in 7 steps. Real examples for SMBs — audit-ready, Article 30 compliant, and built for client questionnaires.

Read more
Agnes stands next to a large padlock with a shield, floating document icons around her
GDPR

GDPR Encryption: What Article 32 Requires

What encryption does GDPR Article 32 actually require? The exact standards Dutch SMBs must implement: AES-256, TLS 1.2, and full-disk encryption.

Read more
Agnes handles a GDPR data subject request with a checklist
GDPR, Compliance, SMB

GDPR data subject rights: what they are and how to handle them

All GDPR data subject rights explained, with practical guidance on handling access, erasure, and other GDPR requests within your organisation.

Read more
Agnes follows a clear step-by-step process after discovering a data breach
GDPR, Compliance, SMB

Data Breach Response Plan: GDPR Step-by-Step Guide for SMBs (72-Hour Deadline)

72-hour deadline, regulator notification, data subject letters — this step-by-step GDPR response plan for SMBs covers every action, in the right order, so nothing gets missed.

Read more
Agnes discussing GDPR priorities with a vendor while holding a checklist
GDPR, Compliance, SMEs

GDPR Compliance Checklist for Dutch Tech SMBs — Audit-Ready in 2026

Complete GDPR checklist for Dutch tech SMBs: governance, DPA agreements, data retention, vendor security, and the evidence you need to pass an AP audit in 2026.

Read more
Team discussing AI governance and compliance
AI, GDPR

AI Governance for EU SMEs: A Practical Framework for AI Act Compliance

AI tools in every team, but no governance in place? This step-by-step framework covers AI inventory, risk tiers, GDPR checks, and a 14-day rollout plan for EU SMEs.

Read more
A cartoon-style image of Agnes placing a plank between two cliffs, symbolizing the balancing test for legitimate interest under GDPR.
GDPR

Understanding Legitimate Interest under GDPR

Learn what legitimate interest means under GDPR, when you can use it as a legal basis, and why a balancing test is essential.

Read more
A person flying a plane with a eu flag behind it.
GDPR

Why You Need to Care About EU Privacy Laws Even Outside of the EU

GDPR and ePrivacy apply based on who you serve, not where you are. Learn why respecting EU privacy laws matters even if your company is outside Europe.

Read more
A person holding a phone and an envelope
General, GDPR

GDPR Cold Calling: What's Still Allowed?

B2B cold outreach is still legal under GDPR — if you follow the rules. Here is what ePrivacy allows, where the line is, and how to stay on the right side of it.

Read more
Picture showing a user choosing between accept or deny
GDPR

What Data Needs a User’s Consent?

Learn when user consent is mandatory under GDPR. Find out why legitimate interest is not enough for sensitive data, tracking, and behavioral advertising.

Read more
A person standing next to a trash can or trash truck, holding a piece of paper or a folder that represents data
GDPR

How to build a GDPR-compliant data retention policy

Learn how to create a GDPR-compliant data retention policy to protect personal data and ensure legal compliance with our step-by-step guide.

Read more
A flyer with personal details overlaid with a GDPR icon (like a lock or shield), suggesting that while data might be public, it’s still protected.
GDPR

Just because it’s online doesn’t mean it’s fair game: GDPR and public data

Understand GDPR's impact on public data usage and learn why accessing doesn't equal permission for personal information.

Read more
A person pressing a laptop with a lock above it
GDPR

The role of encryption in GDPR compliance

Discover how encryption is vital for GDPR compliance and learn practical steps to protect your data from breaches and fines.

Read more
An alert box, a concerned professional, and subtle cybersecurity symbols in the background.
GDPR, NIS2

What is NIS2?

NIS2 is the EU's updated cybersecurity directive, enhancing protections for critical infrastructures and ensuring businesses take cybersecurity seriously.

Read more
Captain steering a ship and crew members working
GDPR

Data Controllers and Processors Under GDPR: What Dutch SMBs Need to Know

What is a data controller versus a data processor under GDPR? Practical explanation for Dutch SMBs: who is liable, when you need a DPA, and common mistakes to avoid.

Read more
A lady holding a clipboard with GDPR saying and a checklist
GDPR

Why GDPR is so important?

Discover why GDPR compliance is essential for businesses and how ComplianceHive simplifies the process, ensuring data protection and efficiency.

Read more

Frequently asked questions

Does the GDPR apply to small businesses?

Yes. The GDPR applies to any organisation that processes personal data, regardless of size. If you store customer emails, employee records, or website analytics data, you need to comply. There is no small-business exemption.

What GDPR mistakes do SMBs make most often?

Common ones: missing or incomplete records of processing activities, outdated privacy policies, and no data processing agreements with vendors. Many small businesses also lack clear retention periods for the data they collect.

Where should I start with GDPR compliance?

Map what personal data you collect, where it is stored, and who can access it. Write that down in a record of processing activities. That inventory becomes the foundation for everything else, from privacy policies to vendor assessments.